[ 
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361734#comment-16361734
 ] 

jiatao.tao edited comment on KYLIN-3197 at 2/13/18 2:54 AM:
------------------------------------------------------------

Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and 
comparison or we can solve one problem today, but next day, another problem may 
occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I say is that should we use this method like this way? Can you find 
some examples like document or other projects use this way? Not asking for how 
it works. We all understand how it works.

 
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirements or issue that need discussion, but not 
directly get "cn" from  DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 I believe we are not the only one met this problem, we should go and find out 
how other people solve this.

Looking forward your opinion.


was (Author: aron.tao):
Hi [~xingpeng1]

About Redhat we may need further discussion, it's need a full discussion and 
comparison or we can solve one problem today, but next day, another problem may 
occur. And can you also put your user's ldif?

Besides, I know you use getAdditionalRoles() to solve this problem, for sure, 
but what I say is that should we use this method like this way? Can you find 
some examples like document or other projects use this way? Not asking for how 
it works. We all understand how it works.

 
{code:java}
The signature of getAdditionalRoles() seems not the way you use.

Because the Redhat linux can not support the case insensitive ldap username, 
that is to say 'getGroupMembershipRoles(userDn, username)' will return empty 
Set, so I analyze the spring source code, after 
'getGroupMembershipRoles(userDn, username)', there will call 
'getAdditionalRoles(user, username)' to get the roles again, then I can get the 
real username from the DirContextOperations object.

{code}
Also, I think it may be a requirements or issue that need discussion, but not 
directly get "cn" from  DirContextOperations.
{code:java}
the username passed in is not real one, but the 'WKH', so I find a way to fetch 
the real one from DirContextOperations object by 'username = 
user.getStringAttribute("cn");'
{code}
 I believe we are not the only one met the problem, we should go and find out 
how other people solve this.

Looking forward your opinion.

> When ldap is opened, I use an ignored case user to login, the page does not 
> respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, 
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, 
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, 
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, 
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, 
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I config the kylin.properties, and give wkhGroup the 
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use 
> '{color:#ff0000}wkh{color}' to login in, which is normal.
>  But when I use '{color:#ff0000}WKH{color}' to login in, the page does not 
> respond.
>  I analyze the backgroud code, and find the function of 
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
>  String)' has problem.
>  When userDn is 
> "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and 
> username is "{color:#ff0000}WKH{color}", then authorities will be empty Set 
> by the follow code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, 
> username);
> {code}
> So I have added 'getAdditionalRoles' function to get the authorities again.
>  I have test the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to